Security researcher Lukasz Olejnik says it is possible to slurp sensitive data with the ambient light sensors installed in many smartphones and laptops.
The sensors are there so that devices can automatically change the brightness of screens, a handy trick that save scrambles to change settings.
But Olejnik says such sensors are dangerous because the World Wide Web Consortium (W3C) is considering “whether to allow websites access the light sensor without requiring the user’s permission.” That discussion is taking place in the context of giving web pages the same access to hardware that native applications enjoy.
If web pages can do so, the sensor can be made to detect variations in brightness on a device's screen so, for instance, the sensors could “read” a QR code presented inside a web page, Olejnik says. And seeing as QR codes are sometimes published as an authentication tool for chores like password changes, Olejnik thinks that's a worry.
As readers are doubtless aware, many sites change the colour of links when a user has visited them. Olejnik has used the ambient light sensor to detect that change and therefore infer a user's browsing history.
There's some good news in the revelation that the attack is slow: it took Olejnik 48 seconds to detect a 16-character text string, and three minutes and twenty seconds to recognise a QR code. Few users would keep a QR code on screen that long, but it's still unsettling to know the sensors are an attack vector.
Olejnik proposes a pleasingly simple fix. If the API limits the frequency of sensor readings, and quantized their output, the sensors could still do their job of shining a light on users but would lose the accuracy needed to do evil.
This is not the first time an API has been shown to enable invasions of privacy and/or security worries. Apple and Mozilla recently disabled a battery-charge-snooping API that Olejnik thinks Uber used to figure out the state of customers' phones so it could charge them more for rides when their batteries are close to expiring. Chrome has also adopted a Bluetooth-sniffing API, sparking calls for users to be offered a chance to disable it. ®